Possibility to lock iptables rules.

R. DuFresne dufresne at sysinfo.com
Wed Apr 20 23:02:41 CEST 2005

Which is the number one reason that a network's firewall should serve no 
other purpose than that, firewalling the network, and not allow outside 
nor most inside systems/users to connect to it, only those managing it.

Even immutable flags can be undone on a server that is hacked and root 
gained.  And what you are requesting requires there be no modules on the 
system, everything has to be compiled directly into the kernel, including 
all the modules that iptables now depends upon and uses.  You'd be much 
better off and safer to just not let the average user be able to connect to 
and enter the firewall.


Ron DuFresne

On Wed, 20 Apr 2005, Anders Fugmann wrote:

> Hi,
> I would like to request a very simple feature: The possibility to lock
> all iptables rules in the kernel, making them immutable.
> This would be useful on machines which act both as a firewall and as a
> server. The problem today is, if an unwanted guest manages to break into the
> machine running the firewall and becomes root, the person can easily
> change the rules, compromising the network guarded by the hacked
> firewall.
> If it was somehow possible to lock the rules once set up, the attacker
> would be unable to modify the rules, and the network guarded by the firewall
> would (depending on how the firewall was set up) not be compromised,
> even if an attacker gained access to the firewall itself.
> I was thinking something along the lines of:
> iptables --lock [--action <PANIC|LOG>],
> where 'action' would specify how the machine should react if anyone was
> to try and modify the rules. PANIC would cause the system to panic. LOG
> would simply make the kernel log the attempt and then ignore the
> request.
> The only way to unlock the tables would be to reboot the machine. I know
> that this system is not 100% foolproof, as the attacker could install a
> custom kernel, and then reboot the machine, but it would certainly make
> it a lot harder for most attackers.
> I really hope that this feature could be implemented. I know that it is
> not exactly trivial to implement, as the address of the bit signifying
> that the tables are locked would need to be hidden to avoid the attacker
> simply writing a zero to the specific address to unlock the tables.
> Regards
> Anders Fugmann
> P.s.
> Please CC me on replies, as I'm not on the list.

-- 
         admin & senior security consultant:  sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                 -Tom Robbins <Still Life With Woodpecker>
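What a defender can do on a box that has to stay reachable, as an added example that is not part of this thread and not anything the netfilter project ships: rather than trying to make the loaded ruleset immutable, record a digest of the `iptables-save` output when the rules are loaded and compare against it on a timer, so that any edit made by a compromised root at least produces a log line the intruder did not choose to emit. This is POSIX sh assuming coreutils `sha256sum` and the `iptables-save` text format; the sample dump, the `check_rules`/`rules_digest` function names and the baseline file path mentioned in the comments are all constructed for illustration. As Ron says, root can also stop the checker, so the log line is only worth something if it is shipped off the box.

```shell
#!/bin/sh
# Added example (not from the thread): detect changes to a live iptables
# ruleset by comparing a digest of `iptables-save` output against a baseline
# recorded when the rules were loaded.

# normalize_rules: strip the timestamp comments and the [pkts:bytes] counters
# so that only the rules and chain policies feed into the digest.
normalize_rules() {
    grep -v '^#' \
      | sed -e 's/^\[[0-9]*:[0-9]*] *//' -e 's/ *\[[0-9]*:[0-9]*]$//'
}

# rules_digest: read a ruleset on stdin, print its SHA-256 hex digest.
rules_digest() {
    normalize_rules | sha256sum | cut -d ' ' -f 1
}

# check_rules BASELINE: read the current ruleset on stdin; return 0 if its
# digest matches BASELINE, otherwise report on stderr and return 1.
# (In production, replace the echo with `logger -p auth.alert` so the
# message reaches a remote syslog host.)
check_rules() {
    current=$(rules_digest)
    if [ "$current" = "$1" ]; then
        return 0
    fi
    echo "iptables ruleset changed: expected $1 got $current" >&2
    return 1
}

# Constructed sample ruleset in iptables-save format (not a real dump).
SAMPLE_RULES='# Generated by iptables-save v1.4.21 on Wed Apr 20 23:02:41 2005
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
[12:960] -A INPUT -i lo -j ACCEPT
[3:180] -A INPUT -p tcp --dport 22 -s 192.0.2.10 -j ACCEPT
COMMIT
# Completed on Wed Apr 20 23:02:41 2005'

# Same rules with a counter advanced: must still match the baseline.
SAMPLE_RULES_LATER=$(printf '%s\n' "$SAMPLE_RULES" | sed 's/\[12:960\]/[40:3200]/')

# One rule relaxed to accept SSH from anywhere: must not match.
SAMPLE_RULES_TAMPERED=$(printf '%s\n' "$SAMPLE_RULES" | sed 's/ -s 192.0.2.10//')

# Stand-alone demo on the constructed samples. On a real host the stdin is
# the live dump, e.g. from cron:
#   iptables-save | check_rules "$(cat /var/lib/iptables-baseline.sha256)"
demo() {
    base=$(printf '%s\n' "$SAMPLE_RULES" | rules_digest)
    printf '%s\n' "$SAMPLE_RULES_LATER" | check_rules "$base" \
        && echo "counters only: unchanged"
    printf '%s\n' "$SAMPLE_RULES_TAMPERED" | check_rules "$base" \
        || echo "rule edit detected"
}
demo
```

The baseline should be written at rule-load time by the same script that calls `iptables-restore`, and stored somewhere the checker reads but the firewall host's ordinary services do not need to write; the counters are stripped deliberately so that normal traffic does not trigger false alarms.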